Netgate Discussion Forum

    Running Web Servers - Would using pfBlockerNG be good to use?

    carrzkiss

      Hello, everyone.
      References information users have already provided for setting up pfBlockerNG.
      Re: IP Block List - Do I need pfBlockerNG to block IP Addresses?

      I run several websites, and a few of them receive 100s-1000s of hits a day from troublesome IP address blocks that are listed as bad on AbuseIPDB.com.

      They are hitting the site like this (Linked to the AbuseIPDB).

      • 11/13/2025 2:55:51 PM - 217.113.194.85
      • 11/13/2025 2:56:08 PM - 217.113.194.246
      • 11/13/2025 2:56:28 PM - 217.113.194.87
      • 11/13/2025 2:56:37 PM - 115.231.78.8
      • 11/13/2025 2:56:38 PM - 57.141.4.38
      • 11/13/2025 2:56:42 PM - 57.141.4.26
      • 11/13/2025 2:56:42 PM - 47.128.51.112
      • 11/13/2025 2:56:42 PM - 47.128.51.113
      • 11/13/2025 2:56:49 PM - 217.113.194.87
      • 11/13/2025 2:57:07 PM - 217.113.194.82
      • 11/13/2025 2:57:15 PM - 57.141.4.53
      • 11/13/2025 2:57:24 PM - 217.113.194.88
      • 11/13/2025 2:57:36 PM - 47.128.54.222
      • 11/13/2025 2:57:44 PM - 217.113.194.87
      • 11/13/2025 2:57:46 PM - 57.141.4.77
      • 11/13/2025 2:58:00 PM - 217.113.194.219
      • 11/13/2025 2:58:15 PM - 217.113.194.90
      • 11/13/2025 2:58:17 PM - 57.141.4.30
      • 11/13/2025 2:58:28 PM - 47.128.22.6
      • 11/13/2025 2:58:28 PM - 47.128.30.222
      • 11/13/2025 2:58:31 PM - 217.113.194.87
      • 11/13/2025 2:58:47 PM - 57.141.4.32
      • 11/13/2025 2:58:47 PM - 217.113.194.89

      Not all these IPs are getting blocked; it depends on whether they are doing something bad on the site, like SQL Injection or XSS attacks. If not, then they are just cataloged in our database for visitor counts.
      The bad part is that these are false visits, and that is not how I want to count hits.

      So the question is this.
      Will using the pfBlockerNG be suitable for websites?
      I do not want to block potential visitors, but if they are on pfBlockerNG, then they should not be good IPs, correct?

      Thanks for all the information on this.
      It would be nice to get legitimate hits, instead of all this mess I am currently receiving on these sites.


    johnpoz (LAYER 8 Global Moderator) @carrzkiss
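      As an added illustration of the problem described in this post (not code from the thread, and not part of pfBlockerNG), the script below parses hit lines in the format shown above, counts them per /24, flags networks that hit in bursts, and reports how many of the hits a deny list would have stopped before they ever reached the web server and its visitor counter. The hit lines are copied from the post; the deny-list prefixes are constructed placeholders standing in for whatever feed (AbuseIPDB or otherwise) pfBlockerNG would load into a firewall alias.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Sample input: hit lines copied from the first post ("timestamp - source IP").
SAMPLE_HITS = """\
11/13/2025 2:55:51 PM - 217.113.194.85
11/13/2025 2:56:08 PM - 217.113.194.246
11/13/2025 2:56:28 PM - 217.113.194.87
11/13/2025 2:56:37 PM - 115.231.78.8
11/13/2025 2:56:38 PM - 57.141.4.38
11/13/2025 2:56:42 PM - 57.141.4.26
11/13/2025 2:56:42 PM - 47.128.51.112
11/13/2025 2:56:42 PM - 47.128.51.113
11/13/2025 2:56:49 PM - 217.113.194.87
11/13/2025 2:57:36 PM - 47.128.54.222
11/13/2025 2:58:28 PM - 47.128.22.6
""".splitlines()

# Constructed deny list, one CIDR per entry, in the shape pfBlockerNG feeds
# into a firewall alias.  These prefixes are placeholders chosen to cover the
# sample above; they are not the contents of any published feed.
CONSTRUCTED_DENY_LIST = [
    "217.113.194.0/24",
    "47.128.0.0/16",
    "115.231.0.0/16",
]


def parse_hits(lines):
    """Parse 'M/D/YYYY H:MM:SS AM/PM - IP' lines into (datetime, address) tuples.
    Malformed lines are skipped instead of aborting the whole run."""
    hits = []
    for line in lines:
        line = line.strip().lstrip("• ").strip()
        if not line:
            continue
        try:
            stamp, ip = (part.strip() for part in line.split(" - ", 1))
            hits.append((datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"),
                         ipaddress.ip_address(ip)))
        except ValueError:
            continue
    return hits


def hits_by_network(hits, prefix_len=24):
    """Count hits per /prefix_len so a whole block of addresses stands out."""
    counts = Counter()
    for _, ip in hits:
        counts[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)] += 1
    return counts


def burst_networks(hits, window_seconds=60, threshold=3, prefix_len=24):
    """Networks with at least `threshold` hits inside any `window_seconds` span:
    the 'hitting the page every second' pattern, as opposed to a person who
    loads a handful of pages."""
    per_net = {}
    for stamp, ip in hits:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_net.setdefault(net, []).append(stamp)
    bursty = set()
    for net, stamps in per_net.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                bursty.add(net)
                break
    return bursty


def matching_network(ip, networks):
    """Return the first deny-list network containing ip, or None."""
    for net in networks:
        if ip in net:
            return net
    return None


def classify_hits(hits, networks):
    """Split hits into those the deny list would drop at the firewall and those
    that would still reach the web server (and be counted as visitors)."""
    dropped, passed = [], []
    for stamp, ip in hits:
        (dropped if matching_network(ip, networks) else passed).append((stamp, ip))
    return dropped, passed


def summarize(lines=SAMPLE_HITS, deny_entries=CONSTRUCTED_DENY_LIST):
    hits = parse_hits(lines)
    networks = [ipaddress.ip_network(e, strict=False) for e in deny_entries]
    dropped, passed = classify_hits(hits, networks)
    return {
        "total": len(hits),
        "dropped": len(dropped),
        "passed": len(passed),
        "top_networks": hits_by_network(hits).most_common(3),
        "bursty": sorted(str(n) for n in burst_networks(hits)),
    }


if __name__ == "__main__":
    result = summarize()
    print(f"{result['dropped']} of {result['total']} hits would be dropped by the deny list")
    for net, n in result["top_networks"]:
        print(f"  {net}: {n} hits")
    print("bursty networks:", ", ".join(result["bursty"]) or "none")
```

      Run against the real server log rather than the pasted sample, the `passed` bucket is the part still worth looking at: those are the sources no list covers, so they are either genuine visitors or candidates for a local block list.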

        @carrzkiss those 47.128 addresses are Amazon out of Singapore - I seriously doubt legit users are coming from there.

        you prob have like 10 legit users a day - the rest is junk ;)

        That 115.231 is out of China - you have a lot of users in China? :)

        If an IP/network is listed in an abuse db - I would block it.. and all the stupid scanners as well like shodan, etc.

        Those scanners are doing nobody any good other than creating a db bad people can use for a list of IPs with port X open, etc..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.11 | Lab VMs 2.8.1, 25.11


        carrzkiss @johnpoz

          @johnpoz So, using pfBlockerNG would be the best way to combat this issue?
          And I do get people from other countries, but they're not hitting the page every second like that.


          johnpoz (LAYER 8 Global Moderator) @carrzkiss

            @carrzkiss yeah pfblocker is easy to create lists with. I use it to both block and allow lists that can talk to me.

            As to users in other countries - how many connections would be flowing through amazon data services - my bet would be zero ;)


            carrzkiss @johnpoz

              @johnpoz
              The information/instructions you have in my other thread.
              IP Block List - Do I need pfBlockerNG to block IP Addresses?

              You say you have both Allow and Deny.
              The Allow will be hard to manage, as I do not know who will be visiting.
              I see on your Allow, that you have a [US] list. I get a lot of SQL Injection attacks from US IPs. Now, whether they are knowingly doing this is a different story.

              And yes, you are right about the Amazon visitors. Most likely not.

              I will look into what you have provided in the other thread to get my head wrapped around what needs to be done to get it right, without any downtime for the web servers.

              Any extra advice, or maybe a good video explaining it, would be handy.


              johnpoz (LAYER 8 Global Moderator) @carrzkiss

                @carrzkiss said in Running Web Servers - Would using pfBlockerNG be good to use?:

                Any extra advice, or maybe a good video explaining it

                Not a video instruction fan to be honest - why sit through a 20 min video for 20 seconds of reading ;)

                Proper placement of rules is key - need to understand that top down the first rule to trigger wins, and floating rules are evaluated before interface rules.

                Maybe you don't need allow rules. Depends on who is going to talk to your service.. For example I know my users of plex are going to be coming from US or Belgium.. And a few specific IPs that might be outside those two regions - so this is allowed.. But I also have zero use for stuff like shodan, or censys, digital ocean and a few other bad ip/network lists - even if from a US IP. So I block those on a floating rule.. If the rule doesn't trigger then it would hit the interface rule that is an allow. So this for sure keeps the bad stuff from talking to any of my ports, but my allows let the guys in I want to allow. Since I have no use for anyone from a China IP talking to my services. Even if they are not on a known bad list as example.

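                The rule-ordering point in the post above, worked through as an added example (this is editor-supplied code, not something from the thread or from pfSense/pfBlockerNG). It models the evaluation order the post describes: floating rules first, then the interface tab top-down, first match wins, default deny. In pf a floating rule only takes effect immediately when it is marked quick; an unmarked floating rule is remembered and only decides the packet if no interface rule matches, and the model covers both so the difference is visible. The aliases `pfB_Deny` and `pfB_Allow_US` are constructed stand-ins for the tables pfBlockerNG would fill, and every prefix is an RFC 5737 documentation range, not a real feed entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed aliases standing in for the tables pfBlockerNG would populate.
# All prefixes are RFC 5737 documentation ranges, not real feed contents.
ALIASES = {
    "pfB_Deny": ["203.0.113.0/24", "198.51.100.64/26"],  # abuse / scanner feeds
    "pfB_Allow_US": ["198.51.100.0/24"],                 # country allow list
}


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src: str = "any"                 # alias name or "any"
    dst_port: Optional[int] = None   # None means any port
    quick: bool = True               # floating rules only; interface rules are always quick


@dataclass
class Packet:
    src_ip: str
    dst_port: int


def in_alias(ip, alias_name, aliases=ALIASES):
    """True when ip falls inside any prefix of the named alias."""
    if alias_name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in aliases[alias_name])


def rule_matches(rule, pkt):
    return in_alias(pkt.src_ip, rule.src) and (
        rule.dst_port is None or rule.dst_port == pkt.dst_port)


def evaluate(pkt, floating_rules, interface_rules):
    """Return (action, rule name) for one packet.

    Floating rules are walked first: a matching quick rule ends evaluation at
    once, a matching non-quick rule is only remembered.  Interface rules are
    then walked top-down and the first match wins.  If nothing on the interface
    tab matched, a remembered floating rule decides; otherwise default deny."""
    last_non_quick = None
    for rule in floating_rules:
        if rule_matches(rule, pkt):
            if rule.quick:
                return rule.action, rule.name
            last_non_quick = rule
    for rule in interface_rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    if last_non_quick is not None:
        return last_non_quick.action, last_non_quick.name
    return "block", "default deny"


def build_rules(deny_quick=True):
    """The layout from the post: a floating block on the deny alias, and an
    interface (WAN) pass for the allowed region to the web server port."""
    floating = [Rule("block pfB_Deny (floating)", "block", src="pfB_Deny", quick=deny_quick)]
    wan = [Rule("pass pfB_Allow_US to 443 (WAN)", "pass", src="pfB_Allow_US", dst_port=443)]
    return floating, wan


# Constructed test traffic against the constructed aliases above.
SAMPLE_PACKETS = [
    Packet("198.51.100.10", 443),  # on the US allow list, not on the deny list
    Packet("198.51.100.77", 443),  # on the US allow list AND on the deny list
    Packet("203.0.113.5", 443),    # deny-listed only
    Packet("192.0.2.9", 443),      # on neither list
    Packet("198.51.100.10", 22),   # allowed source, but not the web port
]


def decide_all(deny_quick=True):
    """Map 'ip:port' to the action the ruleset takes."""
    floating, wan = build_rules(deny_quick)
    return {f"{p.src_ip}:{p.dst_port}": evaluate(p, floating, wan)[0]
            for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for quick in (True, False):
        print(f"floating deny rule quick={quick}")
        floating, wan = build_rules(quick)
        for p in SAMPLE_PACKETS:
            action, why = evaluate(p, floating, wan)
            print(f"  {p.src_ip}:{p.dst_port:<4} -> {action:5} ({why})")
```

                The second packet is the case the post is making: a source that sits inside the allowed region but also on a bad list is blocked only because the floating deny rule is evaluated, and wins, before the interface pass. Flip `quick` off and the same packet is passed by the WAN rule, which is why "proper placement" matters as much as having the lists at all.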
                Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.